e0bdf191adb3626c0a6fec9c43b7339183ddc7afd31845393d9de9b9210b92bf

Analysis

max time kernel
94s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a1629b18c21bd85cdcd52f2f9f715dd.exe
Size

1.4MB
MD5

1a1629b18c21bd85cdcd52f2f9f715dd
SHA1

acdef85fb554993253ec0f8466b88f7c89212e83
SHA256

e0bdf191adb3626c0a6fec9c43b7339183ddc7afd31845393d9de9b9210b92bf
SHA512

54dbca6f8629fb493743d2b787af9d326872ee1fbaa9c4c314e0de73528c806cdc63d9c94edbd1ffb701d71fb2e8b45960749c8777c1297bf63a2be1737dac9f
SSDEEP

24576:S0CzsVUGO/58jXDhShkB/yxKiRc9gH8z/ppyw777rVo8z+Ql1FzwSlMu:izqOej2kB/yHAgcz/jyeaocSlMu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2564	77.exe
2932	360saf1.exe
2428	360saf1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2428 set thread context of 2660	2428	360saf1.exe	95

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\360saf1.exe	77.exe
File opened for modification	C:\Windows\360saf1.exe	77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2276	2660	WerFault.exe	95

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\IESettingSync	1a1629b18c21bd85cdcd52f2f9f715dd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	1a1629b18c21bd85cdcd52f2f9f715dd.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	1a1629b18c21bd85cdcd52f2f9f715dd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1a1629b18c21bd85cdcd52f2f9f715dd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2564	77.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4676	1a1629b18c21bd85cdcd52f2f9f715dd.exe
4676	1a1629b18c21bd85cdcd52f2f9f715dd.exe
4676	1a1629b18c21bd85cdcd52f2f9f715dd.exe
4676	1a1629b18c21bd85cdcd52f2f9f715dd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 2564	4676	1a1629b18c21bd85cdcd52f2f9f715dd.exe	91
PID 4676 wrote to memory of 2564	4676	1a1629b18c21bd85cdcd52f2f9f715dd.exe	91
PID 4676 wrote to memory of 2564	4676	1a1629b18c21bd85cdcd52f2f9f715dd.exe	91
PID 2564 wrote to memory of 2932	2564	77.exe	92
PID 2564 wrote to memory of 2932	2564	77.exe	92
PID 2564 wrote to memory of 2932	2564	77.exe	92
PID 2564 wrote to memory of 4584	2564	77.exe	93
PID 2564 wrote to memory of 4584	2564	77.exe	93
PID 2564 wrote to memory of 4584	2564	77.exe	93
PID 2428 wrote to memory of 2660	2428	360saf1.exe	95
PID 2428 wrote to memory of 2660	2428	360saf1.exe	95
PID 2428 wrote to memory of 2660	2428	360saf1.exe	95
PID 2428 wrote to memory of 2660	2428	360saf1.exe	95
PID 2428 wrote to memory of 2660	2428	360saf1.exe	95

C:\Users\Admin\AppData\Local\Temp\1a1629b18c21bd85cdcd52f2f9f715dd.exe
"C:\Users\Admin\AppData\Local\Temp\1a1629b18c21bd85cdcd52f2f9f715dd.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\77.exe
  C:\Users\Admin\AppData\Local\Temp\\77.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\360saf1.exe
    "C:\Windows\360saf1.exe"
    3⤵
    - Executes dropped EXE
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\77.exe > nul
    3⤵
    PID:4584

C:\Windows\360saf1.exe
C:\Windows\360saf1.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 12
    3⤵
    - Program crash
    PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2660 -ip 2660
1⤵
PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BJCNBC62\NewErrorPageTemplate[1]

Filesize
1KB

MD5
dfeabde84792228093a5a270352395b6

SHA1
e41258c9576721025926326f76063c2305586f76

SHA256
77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

SHA512
e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BJCNBC62\background_gradient[1]

Filesize
453B

MD5
20f0110ed5e4e0d5384a496e4880139b

SHA1
51f5fc61d8bf19100df0f8aadaa57fcd9c086255

SHA256
1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

SHA512
5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\dnserrordiagoff[1]

Filesize
1KB

MD5
7e81a79f38695e467a49ee41dd24146d

SHA1
035e110c36bf3072525b05394f73d1ba54d0d316

SHA256
a705d1e0916a79b0d6e60c41a9ce301ed95b3fc00e927f940ab27061c208a536

SHA512
53c5f2f2b9ad8b555f9ae6644941cf2016108e803ea6ab2c7418e31e66874dea5a2bc04be0fa9766e7206617879520e730e9e3e0de136bae886c2e786082d622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\errorPageStrings[1]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\info_48[1]

Filesize
4KB

MD5
5565250fcc163aa3a79f0b746416ce69

SHA1
b97cc66471fcdee07d0ee36c7fb03f342c231f8f

SHA256
51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

SHA512
e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSO8CY24\navcancl[1]

Filesize
2KB

MD5
4bcfe9f8db04948cddb5e31fe6a7f984

SHA1
42464c70fc16f3f361c2419751acd57d51613cdf

SHA256
bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228

SHA512
bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R977VUU4\bullet[1]

Filesize
447B

MD5
26f971d87ca00e23bd2d064524aef838

SHA1
7440beff2f4f8fabc9315608a13bf26cabad27d9

SHA256
1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

SHA512
c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R977VUU4\httpErrorPagesScripts[1]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Local\Temp\77.exe

Filesize
31KB

MD5
a78d03fdb023268833e60c4676335a86

SHA1
298b48caea19fb3ef2333c490427fffc7d28d208

SHA256
0fcbed45204a331614c2a9e911f39709775c6644939ca5f77d08ade9c5988444

SHA512
e9702ca220718b52784c3c10a6e8ff2746082686ab856462e08595848e02ee281d2263c1e1afed0aec6a5eb98e83beadcd6e1397aa3597f72c2db3cff6686168

Download Submit
memory/2660-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download